GDPR and the race for compliance
GC reports on how businesses are preparing for the EU’s upcoming General Data Protection Regulation deadline.
Editor and features writer
1998 seems like a lifetime ago, where global e-commerce was a futuristic fantasy for ordinary people just discovering the internet. Yet 1998 was year zero for the European Union’s Data Protection Directive – the basis for legislation protecting personal data across member states today.
But over the past two decades, digitalisation has detonated a data explosion, giving rise to data mining on a level of sophistication and scale that was unthinkable at the time the Directive was conceived. In keeping with the spirit of our globalised age, data, like everything else, is ‘big’ – and so are the threats.
‘A lot of times, companies don’t realise the value of the data that they hold – it’s about valuing what it’s worth to a bad person,’ says Cal Leeming, CEO at cyber protection firm, Lyons Leeming.
Leeming argues that even high-profile data breaches have not dramatically impacted companies in the long term, with penalties, brand damage and stock price falls often being short-term hits.
But on 25 May 2018, that is all set to change, with the implementation deadline for the General Data Protection Regulation (GDPR), an updated framework for data protection across the EU. The Regulation forms part of the European Commission’s digital single market strategy, aiming to harmonise data privacy laws across EU member states. It also brings good data practices more sharply into focus by putting them on a statutory footing.
The fundamental tenets of the GDPR are transparency and accountability to individuals, or ‘data subjects’. Organisations must be clear about why they are collecting data, and subjects must be able to access, update and, in some cases, delete that data, as well as withdraw consent for using it. What is more, compliance with GDPR alone is insufficient – organisations must document and demonstrate exactly how they are compliant and provide a clear point of contact for individuals who wish to exercise their rights.
Much of this regulatory upgrade echoes the principles from 1998, albeit much more explicitly. But potentially crippling penalties of up to 4% of global annual turnover or €20m for the most serious infringements have forced even non-EU domiciled organisations to take notice. That’s because the GDPR expands jurisdictional reach to include personal data processing of subjects if they are based in the EU, even if the entity in question is not.
Vive la révolution?Consequently, the GDPR has generated a lot of fear. But Garreth Cameron, policy and engagement group manager at the Information Commissioner’s Office (ICO), the UK’s independent information regulator, strikes a reassuring tone.
‘A lot of the processing that people do, a lot of their business practices, will largely remain the same because the law has evolved, it’s not fundamentally different – the same building blocks are there,’ says Cameron. Many large organisations agree with this sentiment. Nina Barakzai, group head of data protection and privacy at Sky, feels that the Regulation will help businesses, not hinder them.
‘There is a lot of hype around the GDPR, but most businesses that take their confidentiality and data protection obligations seriously are probably already in a place to capture the evidence they need. In reality, the new regulations are a welcome update to existing European laws. They have the benefit of harmonising requirements across the European Economic Area (EEA) and building a more consistent understanding of personal data in European jurisdictions,’ says Barakzai.
‘The benefit of this is to create a form of shorthand, as industries, companies, and parties processing personal data can work with common definitions, standardised conceptual frameworks and published guidelines from regulators. This makes it quicker to share data, transfer it internationally and keep it secure to a consistent standard. The extraterritoriality of the regulations helps build this approach out to jurisdictions outside the EEA, to give international data flows a level of certainty of protection for the data subject.’
Although the GDPR is about synchronicity, each EU member state’s experience in legislating for and adjusting to the new regime will be different. Suzanne Rodway, group head of privacy at RBS, believes that because the UK has had one of the more pragmatic data protection regimes in Europe, GDPR implementation feels like a bigger stretch for UK-headquartered businesses.
‘You hear some European regulators say “it’s evolution, not revolution”. I think in the UK, it’s revolution,’ says Rodway. But rather than framing the GDPR as another set of rules, the ICO positions compliance as a tool for correcting the very low levels of trust between businesses and UK consumers.
‘Every year we run an annual survey, where we ask a representative number of people how they feel their data is being used. The key headline is that only one in four UK adults trusted businesses with their personal information; only 16% agreed that businesses were being transparent in their data use; and only 21% thought that businesses would keep their data secure. That’s bad for consumers and bad for business,’ adds Cameron.
The right skillsThe GDPR represents major challenges for organisations, especially given the relatively short transition period between the legislation’s adoption in April 2016 to its enforcement in May 2018. Organisations must have an appropriately skilled contact person in place to take responsibility for compliance and, for many (particularly public authorities, organisations carrying out large-scale monitoring and those that process special categories of sensitive data on a large scale), that means hiring a data protection officer (DPO).
Data protection recruitment often falls to the general counsel and, although the role doesn’t inherently require them, there is often a premium placed on legal skills. According to some, however, filtering out those with non-legal backgrounds might be the wrong approach.
‘I know there are quite a few who feel there is a glass ceiling if you didn’t train as a lawyer. It helps to have some lawyers so you can get privilege and things like that, but you need compliance skills or risk skills or alternative metrics to help you do all aspects of privacy,’ says Rodway.
A mix of skillsets is necessary, not least because top-level data protection and privacy candidates are becoming thin on the ground. ‘There is a war on talent’, says Chris Hurst at executive search consultancy Carlyle Kingswood. The high stakes of getting on the wrong side of the GDPR mean that organisations are looking for experienced, heavy-lifting professionals and, in some cases, are letting them write their own job descriptions. The importance of getting the right DPO has also led to some churn.
The fundamental tenets of the GDPR are transparency and accountability to individuals, or ‘data subjects’.
The GDPR stipulates that the DPO must report at board level, but in reality, they must be able to influence both up and down their organisation. That means the ability to communicate throughout the organisation and synthesise data protection principles with strategic business imperatives, as well as provide appropriate training, are essential skills.
‘Fundamentally, underlying a lot of this is business change and so you really need people who are influential, who really understand how you implement change within organisations,’ says Cameron.
Unfortunately, finding the right person might not be the end of the road. ‘Poaching’ of top talent has become an issue, meaning that companies are forced to offer considerable incentive packages. And with law firms struggling to resource their expanding rosters of clients, external help could also be hard to find. For data and privacy specialists at the highest levels, says Hurst, ‘It really is their moment’.
Systems upgradeWhen the company has crystallised what actions are necessary, systems might need to be upgraded. Improving (or even building) the functionality to archive, track data flows, apply anonymisation and mitigate problems caused by removing data fields can be difficult, especially in large organisations. In addition, processes must be configured to allow the level of data control required for members of the public to exercise their right to transparency.
‘Businesses really need to be prepared as a customer services supply issue as well as a legal compliance one, says Cameron.
‘Subject access requests can be very time-consuming and expensive, which is really a symptom of not having good management of data. Those organisations that are running on very outdated infrastructure, or a legacy system where it’s very hard to draw together the information, are going find it more problematic.’
Businesses must also be sophisticated enough to spot breaches, and notify their domestic data protection regulatory authority (or, in some cases, the individuals concerned) as laid out in the Regulation.
ConsentCameron says that companies and their employees will need to have a better understanding of data protection law on a day-to-day basis, because the GDPR requires organisations to articulate a legal condition for processing personal data – something they might have not thought too coherently about in the past – and to be clear with individuals about what that condition is.
In many cases, data controllers will look to consent to provide their legal basis for processing. But the GDPR is stringent about how organisations must inform individuals in order to obtain their consent for intended activities, strengthening awareness around the issue and providing detailed instructions to controllers about what information they must provide to data subjects. Fundamentally, consent shouldn’t be inferred, it should be specific, informed, freely given and an affirmative indication of an individual’s wishes.
‘The consent needs to be unbundled – so we can’t ask for consent for everything, for example: “By ticking these boxes we accept to receive email magazines or communications, or emails from third parties, from partner companies XYZ”,’ says Maria Lobato, data protection officer at UK-headquartered retailer Mothercare.
‘It’s a very big deal because of the number of things that you have to say and ask. Now we need to be creative enough to collect the consent in a customer-friendly manner and to ensure we are clear and transparent in the way we do it.’
Preparing for the new normalWhile the GDPR has been widely reported on, much is still yet to be confirmed. In the UK, although the government has released a statement of intent, the full text of its Data Protection Bill, which will codify the GDPR into UK law, is yet to be seen at the time of writing.
Exactly what standard clauses and other practical applications will look like will also need to be ironed out in due course. RBS was one of the first banks to negotiate new terms and conditions for third party vendors, only to be met with a bewildered response from some suppliers.
Rodway says the difficulty is that ‘No one knows what standard business terms look like yet. No one knows what normal is’.
While the GDPR has been widely reported on, much is still yet to be confirmed.
This uncertainty extends to enforcement, with organisations waiting to see how certain aspects of compliance will be interpreted and applied, as well as for a body of case law that can only be built up once the GDPR comes into force.
‘I think a lot of organisations are applying a risk-based approach, to get as much of the high-risk stuff done as they can by the deadline, acknowledging that there may be an additional backlog of work that will continue post-2018,’ she says.
‘Some may have vendors who refuse to accept your new terms and conditions, so you may have to wait until the contract is up for renewal and things like that – so having a hard deadline doesn’t necessarily mean that everything can be completed.’
Worse, there are still a number of organisations panicking about how to set up a programme for GDPR compliance. Rodway predicts that, in the UK at least, the regulatory response will be to assess the extent to which compliance has been attempted, rather than issue massive fines from day one.
BrexitAs far as the UK is concerned, the elephant in the room is Brexit. As a soon-to-be-ex-EU member, the UK could, theoretically, escape the GDPR’s gaze after 2019. However, all indications are that this will not be the case – and that businesses don’t desire a slimmed-down version.
Cameron says that the UK government’s announcement of its Data Protection Bill is a signal to businesses that data protection remains a top priority, irrespective of Brexit.
‘Data by its very nature is the fluid by which trade moves, and it’s absolutely vital for us to have unencumbered transfers across national boundaries. It’s very important that data protection doesn’t become a barrier to UK companies being able to trade with the EU, so I think that’s going to be a real relief for businesses. Certainly, all of the organisations and representative groups that I speak to are really keen to ensure that we have strong data protection laws,’ he says.
Rodway also takes the view that there will be no dramatic divergence between the European and UK positions on data protection, citing the importance of agreed adequacy as a key incentive for the UK government to ensure equivalence.
‘There’s a huge amount of discussion going on with the government and the ICO around how we make sure that we don’t have a cliff edge where we suddenly lose our ability to freely share data overnight. What we want to do is go through that adequacy process as early as we can, and hopefully the European Commission will say that the UK has implemented GDPR like for like and their laws are obviously adequate, and then fast track us through there,’ she explains.
In the future, however, Darren Jones, MP for Bristol North West (and former lawyer at BT Consumer leading on GDPR implementation), thinks there could be scope for using data protection legislation to improve Britain’s competitiveness in the global data economy.
‘The first job is to ensure legislative equivalence before any Brexit date. But, I’m just thinking aloud here, if the ICO only charges 3% of global turnover instead of 4% if you’re based in the UK – maybe that will be an offer in a post-Brexit world to keep digital businesses in the UK whilst maintaining equivalence on the compliance requirements of GDPR. Whether the EU would argue that was actually a derogation of equivalence, we’d have to see,’ says Jones.
In-house lawyers can play an important role in supporting the DPO to spread engagement and understanding across the business, particularly as they may enjoy closer relationships with the functions they support than the data protection team itself. Alongside designing their processes with privacy in mind, the legal team can be instrumental in getting past the fear factor and selling the commercial case for GDPR compliance.
‘In-house lawyers will be able to spot where slight adjustments to existing confidentiality processes can help get to a privacy-compliant starting point. It is then a much easier task to add incremental changes to an existing process to meet new obligations,’ says Barakzai.
‘It then ceases to be an instruction coming from the top down, for something that may be forgotten because is it not part of a daily activity.’
Security expert Cal Leeming echoes this sentiment, if more boldly: ‘You can treat GDPR as a baseline and say “If I go an iota underneath it, I will fail.” But rather than keep the minimum requirements, treat GDPR like an exam. You wouldn’t just try and aim for Cs – you would aim for as high as you can.’